NIST-800-171 & SPRS: Is Your Organization Compliant?
Organizations across the United States that store sensitive information, or even process unclassified information, on the government’s behalf must be compliant with NIST-800-171 (National Institute of Standards and Technology Special Publication 800-171). This includes organizations that serve government agencies, research institutes and universities receiving federal grants, and DoD (Department of Defense) contractors.
What is NIST-800-171?
NIST-800-171 is a series of cybersecurity practices and standards for non-federal companies that store or manage CUI (Controlled Unclassified Information). NIST-800-171 was first published in June 2015 by NIST, and it continues to receive updates as technology changes.
Purpose of NIST-800-171
NIST-800-171 aims to safeguard controlled unclassified information in the IT systems of subcontractors and contractors working with the government. It outlines the procedures and practices that these contractors need to adhere to, and it applies only to those parts of the IT systems where CUI is present.
Latest NIST-800-171 Requirements
How to Submit for SPRS Assessment?
On 29th September 2020, DoD suppliers were notified of the latest DFARS (Defense Federal Acquisition Regulation Supplement) Interim Rule. It was created to collect NIST-800-171 assessment scores from Department of Defense contractors. To have their security assessment score recorded, all DoD contractors need to submit it to the SPRS (Supplier Performance Risk System).
It's important to bear in mind that the DFARS Interim Rule has now become law, and if you're a DoD contractor or NIST-800-171 applies to your institution, you need to submit your security assessment score to the government in order to keep your institution from losing DoD revenue. For your convenience, we have created a step-by-step guide that you can use for SPRS assessment submission.
Step One: Create Your Account
The first and most obvious step is to open the official PIEE website and click on the “REGISTER” button. You can find it in the top-right section of the main page.
Now the system will show you the “Terms and Conditions” and the “Privacy Act Statement” that you’ll need to accept by clicking on the “Agree” button.
Now the system will take you to another page where you’ll need to select “Vendor” from the available options.
Here you’ll need to select the “User ID\Password” option from the very first dropdown list. You can also use your company’s Common Access Certificate or card if you have one.
The system will then ask you to select three security questions and answer them. You'll also need to enter the same answers again for confirmation and then click on the "Next" button.
On the next page, you’ll need to enter your name along with the contact information that must match your legal documents.
The next step is to enter the supervisor information. This is optional, but it might help while your account is being reviewed. You'll also need to enter "Company Information," and that completes the account creation process.
Step Two: Access SPRS (Supplier Performance Risk System)
This part is a little tricky, and you'll need to be careful while performing it. After creating the account, you'll see a page where you'll need to select the "SPRS - Supplier Performance Risk System” option from the first dropdown menu.
After selecting the “SPRS - Supplier Performance Risk System” option, you’ll see that the options in the second field (Roles) have changed. You'll most probably have a couple of options, and you'll need to select "SPRS Cyber Vendor User."
Step Three: Adding Roles
The next step is to add roles, which you do by clicking on the "Add Roles" button on the right-hand side of the previously selected options. After clicking this button, a new line will appear below these options. In this line, you’ll see the “Location Code” field, where you’ll need to enter your company’s CAGE code.
If you have multiple CAGE codes, click on the "Add Roles" button again for each one, and once done, click on the "Next" button.
Now the system will take you to the next page, where you'll need to enter the justification for your account. You’ll also need to use the attachments for identification or justification. Bear in mind that you must not attach your assessment itself here.
Step Four: Agreement Completion
Once you have successfully completed the steps above, you’ll receive your account approval. You’ll need that to complete the agreement process.
Note: If your company doesn't have a CAGE code, you won't be able to complete the profile.
Step Five: CAGE Code Admin Approval
After the registration process, you’ll need an administrator linked to the CAGE code to approve your account. If you don’t know who that person is, open your PIEE account again and go to the “Find My Account Administrator” option on the main page. This option is available under “Need Help with Your Account?”.
The CAGE code administrator will approve your account registration, and after that, you’ll be able to submit your score.
Step Six: Submission of Assessment Score
You’ll again need to log in to your account by going to the PIEE website and clicking on the SPRS icon. Here you'll need to choose "NIST SP 800-171" from the available list. Next, choose the company name, and then click on the "Add New Assessment" option from the menu. The system will ask you to enter the assessment details, after which you'll need to click on the "Save" button.
Where To Go From Here?
There you have it. You have now successfully submitted the security assessment of your organization based on the DFARS rule.